🛠️ Backend Engineering Essentials
The 11 skills that keep a backend dev relevant in 2026 — APIs, auth, databases, caching, event-driven systems, concurrency, distributed systems, security, observability, cloud, and AI integration.
Goal
Speak to each of the 11 areas with real depth, defend tradeoffs under follow-up, and connect them into a coherent production architecture.
01 API Design: REST, gRPC & GraphQL
medium ⏱ 30m
Design APIs interviewers respect: resource modeling, the right status codes, idempotency, pagination, versioning, error envelopes, and when to reach for gRPC or GraphQL over REST. Contract-first thinking and the resilience patterns that wrap every call.
02 Authentication & Authorization: OAuth2, JWT, OIDC & Passkeys
medium ⏱ 30m
Keep authentication (who you are) and authorization (what you can do) distinct, then design both right: sessions vs stateless JWTs and the revocation tradeoff, OAuth2 grant types with Authorization Code + PKCE as the modern default, OIDC as the identity layer, passkeys for phishing-resistant login, and RBAC/ABAC/ReBAC with enforcement at the edge.
03 Databases: SQL, NoSQL, Sharding, Indexing & Query Tuning
medium ⏱ 32m
The database knowledge an SDE-2 is expected to own: SQL vs NoSQL by access pattern, ACID vs BASE, normalization tradeoffs, B-tree indexing and the leftmost-prefix rule, reading EXPLAIN, killing N+1 and full scans, transaction isolation and locking, replication lag, and why you delay sharding.
04 Caching: Redis, CDN & Edge Strategies
medium ⏱ 30m
Cache to cut latency and offload the origin — the layers (browser, CDN/edge, Redis, DB), the patterns (cache-aside, read/write-through, write-behind), invalidation and eviction, Redis data structures and persistence, and the failure modes that bite in production: stampede, penetration, hot keys, and big keys.
05 Event-Driven Systems: Kafka, Pulsar & Streaming
medium ⏱ 32m
Decouple services with events instead of blocking calls. Messaging primitives — queue vs pub/sub vs log — and why Kafka's append-only log changes the game. Partitions, offsets, consumer groups, delivery semantics, idempotent consumers, the transactional outbox, DLQs, and stream processing with windowing and exactly-once.
06 Concurrency & Async: Reactive & Structured Concurrency
hard ⏱ 32m
The models that let one service handle thousands of in-flight requests: thread pools and their sizing, async/event-loop I/O, virtual threads, reactive streams with backpressure, and structured concurrency. Plus the hazards — races, deadlock, visibility — and how to reason about them.
07 Distributed Systems: Microservices, Service Mesh & Eventual Consistency
hard ⏱ 35m
The hard truths of running many services: the real microservices tradeoff, the fallacies that bite you, CAP/PACELC and consistency models, consensus and quorums, service discovery and mesh, why 2PC is avoided and Sagas win, and the resilience patterns that keep partial failure from becoming total failure.
08 Security: HTTPS, Encryption, Zero Trust & OWASP Top 10
medium ⏱ 35m
The backend security a senior is expected to reason about: how the TLS handshake actually works, symmetric vs asymmetric crypto, why passwords need salted slow hashes, secrets management, the OWASP Top 10 with one-line mitigations, XSS/CSRF, and the Zero Trust model that replaced castle-and-moat.
09 Observability: Logs, Metrics, Traces & OpenTelemetry
medium ⏱ 30m
Tell monitoring apart from observability, master the three pillars — structured logs, metrics (RED/USE, cardinality traps), and distributed traces with W3C context propagation — instrument once with OpenTelemetry, and run the SLI/SLO/error-budget loop that gates releases and kills alert fatigue.
10 Cloud & Deployment: Docker, Kubernetes, Serverless & GitOps
medium ⏱ 32m
How modern services actually ship: containers vs VMs, multi-stage Docker builds, Kubernetes objects and probes, rolling/blue-green/canary deploys, serverless tradeoffs, infrastructure-as-code, GitOps reconciliation, and the 12-factor principles that make all of it work.
11 AI Integration: LLM APIs, Vector DBs & RAG
medium ⏱ 32m
Integrate LLMs like any other remote dependency — non-deterministic, slow, and costly. Call shape (system + messages), tokens, streaming, retries and 429 backoff, structured output. Then model routing, embeddings + vector search, RAG end to end, tool calling, and the production concerns: prompt injection, hallucination, evals, observability, and semantic caching.